On Fri, Dec 06, 2013 at 07:41:17AM -0430, Andres Perera wrote:
| On Fri, Dec 6, 2013 at 7:09 AM, Paul de Weerd <[email protected]> wrote:
| > On Fri, Dec 06, 2013 at 06:59:02AM -0430, Andres Perera wrote:
| > | with C you can be very explicit about where you store and when you zero out
| >
| > with shell you can be very explicit about where you store and when you
| > zero out
|
| well,
|
| instead of `read PASSWORD', the code could've stored the password in a
| file

Oh really? How then, pray tell, would you've gotten the PASSWORD in that
file? How do you get input from the user and store it in a file, without
using read in a shell script?

| pipe it to openssl for unlocking, and rm -P that along with the
| cleartext version of the db, avoiding problems w/transporting with a
| possibly external printf that broadcasts in ps(1), or a tmpfile-backed
| heredoc

Naddy's original post didn't use printf, it used echo. It didn't use a
tmpfile-backed heredoc, it piped in the password to openssl's stdin using
the builtin echo. You're describing problems that could've been if Naddy
had been more clumsy. But he wasn't, Naddy didn't do any of that.

Here's something else Naddy could've done (but didn't): he could've put
the password on a public website and used ftp -o - to pass it into
openssl. He didn't do something stupid like that. Suggesting this and
arguing against it contributes nothing. So I don't.

You are arguing about things that didn't happen. You're not contributing
anything of value either. The problem with you is that you think you
did...

| this way you are explicit, also reusing logic already present
|
| it's still a clumsy way of cleartext store, and exposes the file to
| other user processes
|
| on the other hand, ptrace() means memory is exposed to other user processes
|
| so, you are still being a silly person and i don't feel like stressing
| that further
|
| >
| > | with shell it's easy to be clumsy in this particular domain
| >
| > with C it's easy to be clumsy in this particular domain
| >
| >
| > What you said is true, sure, but it also holds the other way around.
|
| what you said is like reading a book of chinese sayings; ie you
| contributed nothing
|
| >
| > Paul 'WEiRD' de Weerd
| >
| > --
| > >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
| > +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
| > http://www.weirdnet.nl/

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
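The pattern the two posters are arguing over, written out as an added example (this is not Naddy's script and not code either poster wrote): the passphrase is taken with the read builtin, handed to openssl on its stdin rather than as an argument, and the script checks that the command writing the pipe is a shell builtin, since an external printf(1) or echo(1) would carry the secret in argv where ps(1) shows it to every local user (OpenBSD's ksh has no printf builtin, which is the "possibly external printf" above). The function names, file names and sample plaintext are this example's own, and it assumes an openssl(1) whose enc command accepts -pbkdf2 (OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example for this thread; not Naddy's script or any poster's code.
# Pattern: read the passphrase with the read builtin, feed it to openssl on
# stdin (never argv), and refuse to run if the command writing the pipe is
# external, because argv is visible to every local user through ps(1).
# Assumes openssl(1) with "enc -pbkdf2" (OpenSSL 1.1.1 or newer).

# Succeed if NAME is a builtin of the running shell. A builtin keeps the
# secret inside the shell process; an external printf(1) or echo(1) would
# receive it as an argument instead.
is_builtin() {
    case "$(type "$1" 2>/dev/null)" in
        *builtin*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Read one line from stdin into the variable named by $1, with terminal
# echo off when stdin is a tty. No temp file and no command argument.
read_secret() {
    _tty=0
    [ -t 0 ] && _tty=1
    [ "$_tty" -eq 1 ] && stty -echo
    IFS= read -r "$1"
    _rc=$?
    if [ "$_tty" -eq 1 ]; then stty echo; printf '\n' >&2; fi
    return "$_rc"
}

# Encrypt or decrypt ($1 = enc|dec) file $2 into file $3. openssl takes the
# passphrase from this function's stdin (-pass stdin), so the caller pipes
# it in and it never appears on the openssl command line.
crypt_file() {
    if [ "$1" = dec ]; then _d=-d; else _d=; fi
    openssl enc $_d -aes-256-cbc -pbkdf2 -pass stdin -in "$2" -out "$3"
}

# Encrypt a constructed sample plaintext under passphrase $1, decrypt it
# again and compare; returns 0 on a clean round trip. Scratch files are
# removed afterwards (on OpenBSD, rm -P overwrites them first, as the
# thread suggests for the cleartext copy).
roundtrip_check() {
    is_builtin printf || { echo "printf is external here, refusing" >&2; return 2; }
    _dir=$(mktemp -d) || return 1
    _ok=1
    printf 'constructed sample database contents\n' > "$_dir/db"
    if printf '%s\n' "$1" | crypt_file enc "$_dir/db" "$_dir/db.enc" &&
       printf '%s\n' "$1" | crypt_file dec "$_dir/db.enc" "$_dir/db.dec" &&
       cmp -s "$_dir/db" "$_dir/db.dec"; then
        _ok=0
    fi
    rm -rf "$_dir"
    return "$_ok"
}

# Interactive use, where "db" is the cleartext file to protect:
#   read_secret PASSWORD && printf '%s\n' "$PASSWORD" | crypt_file enc db db.enc
```

The is_builtin check is the part worth keeping in a real script: `type printf` says "shell builtin" in bash and dash but names /usr/bin/printf under a shell without that builtin, and in the latter case the secret would become an argument of a separate process.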

